You can’t hide from Cookiebot

If you think clearing your browser cookies is enough to prevent you from being monitored, think again. The tracking industry is always coming up with new methods, and now it’s even possible to recognise users via hidden ultrasound signals in ads and browser shadow data.

There's no cause for concern though, as Cookiebot scans your website for all types of tracking, and provides you with insight into which third-party services are monitoring your users and which locations in the world they send information to.

■ Tighter privacy protection regulations

The regulations on the use of cookies and similar tracking technologies will become significantly tighter in an upcoming EU directive. The first draft by the European Commission makes it clear that companies run the risk of being fined with an amount equivalent to 4 percent of their annual global revenue. User consent is still required, however with an emphasis on the fact that only cookies that are absolutely necessary are set before the user has given express consent.

The new regulations don’t only apply to cookies – they include all types of tracking technologies. A few types of first-party cookies for statistics are exempt from the regulations, but they do not under any circumstances exempt cookies that are set by third parties, e.g. Google Analytics.

The amendment is implemented as a regulation that succeeds the existing ePrivacy directive from 2009, the so called “cookie law”. It ensures that the regulations are consistent across all EU member states and that they also apply to companies in countries outside the EU, if their websites have visitors from EU member states. The final regulations are expected to gain legal force on 25 May 2018, in connection with the General Data Protection Regulation - GDPR.

Cookiebot already meets the requirements of both regulations, for instance by enabling the implementation of ‘prior consent’, by documenting the users’ individual consents and by making it easy for users to change or withdraw their consent, as required by the GDPR. The commission also suggests that users are offered the opportunity to regulate the extent of a consent across different types of cookies. This means, for instance, that it should be possible to opt out of marketing cookies while allowing preference and statistics cookies, which is already possible with Cookiebot’s multilevel consent type.

■ Monitor where your customer data ends up

Whether data on your website users is sent to the EU, USA, Russia or China via embedded third-party services is important to know when complying with EU’s General Data Production Regulation. Cookiebot therefore also registers IP numbers and the country in question, together with example values of the data sent from the website to the various third parties via cookies and other trackers. The information is available both in the monthly scanning reports from Cookiebot and in the cookie data, which can be downloaded from the Cookiebot Manager.

■ Cookiebot listens to your website

Cookiebot is the only cookie scanner on the market that is capable of listening to your website. Contrary to you and me, the scanner is able to register high-frequency sounds, which is what the tracking industry is currently using in their efforts to recognise users across devices. The tracking takes place by transmitting ultrasound in online ads, TV ads etc., which apps on your computer, mobile phone or tablet subsequently listen to. When a certain signal is received, your devices can be connected to you as a person, which is of great value for the tracking industry.

These kind of ultrasound beacons are now registered in Cookiebot as audio trackers. The Cookiebot Manager displays details on such trackers, including a picture of the sound-frequency profile.

■ Clearing cookies isn’t enough

Many companies, consumer organisations and agencies recommend users to clear their browser cookies every time they’ve used the internet, if they want to avoid being tracked. This method doesn’t only affect the usability, it also creates a false sense of security, as a copy of the cookie data can easily be stored in the browser in other ways, for instance by using the IndexedDB database technology, which is built into all of todays’ browsers.

Such shadow data is not necessarily deleted when deleting cookies from one’s browser. Since data in IndexedDB are associated with a domain in the same way as traditional third party cookies, the website and its embedded tracking services can unimpededly recreate the cookie data and recognise users during subsequent visits. As such, removing cookies has no real effect, other than causing users to lose the advantages of cookies, for instance not having to log in or saving preferences. Only by using the “incognito” mode in browsers will shadow data also be removed when the browser is closed.

Websites that use Cookiebot with prior consent contribute to minimising unnecessary user behaviour, such as removing cookies and the use of ad blocker software etc., by offering the users an actual choice as far as tracking is concerned. At the same time, Cookiebot’s API ensures that all types of trackers, including IndexedDB, are blocked in accordance with the user’s consent, i.e. not just general HTTP cookies.

■ Design your own cookie declaration

If you have a tech whiz or webhost with knowledge of XSLT, it is now possible to design your own cookie statement for your website. Under the new “Declaration” tab in the Cookiebot Manager, you can choose between the standard layout or save an XSLT definition of the layout. Click the grey question mark at the top of the XSLT editor for an overview of the XML data fields that can be included in the declaration.

■ Modified redirect principles

Some websites redirect users to other websites when clicking links that directly refer to pages in the website’s own domain, although they actually redirect users to third-party websites. So far, Cookiebot has registered all cookies that are set in the user’s browser during the entire redirect process, i.e. also on the third party landing pages, based on an observation that, in general, users believe that the links in question redirect to pages on the current website.

It is now clear that only the landing page owner is responsible for complying with the cookie regulations on its own domain. On this basis, we have changed the principle for logging cookies during redirects: from now on, only the cookies that are set via an own domain are logged, not the ones that are set after redirects to external landing pages take place.

The final declaration will be shown as embedded content in your own website. The content is automatically formatted with your website's overall style sheet definitions (CSS), including fonts and colors.